Spike DDoS Attack Kit Could Put IoT Apps at Risk

DDoS attacks are now being packaged into kits that can target the Internet of things, according to new research from Akamai.

Akamai issued an advisory today about the new Spike distributed denial-of-service (DDoS) kit that is responsible for a number of recent high-bandwidth attacks.
Spike is responsible for attacks against multiple Akamai customers around the world, with one of the largest coming in at a peak of 215 gigabits per second.
DDoS attacks overall have been increasingly growing in volume in 2014. A recent report from VeriSign points to an 83 percent rise in the average DDoS attack size.
DDoS tool kits are common, and previous examples include Dirt Jumper and Zeus, said David Fernandez, head of the PLXsert, security engineering and research team at Akamai. Spike, which goes beyond earlier kits, includes a wide variety of techniques for both infrastructure- and application-based attacks, he told eWEEK.

Spike can be used on both x86- and ARM-based systems, which implies a risk to the emerging Internet of things (IoT) world. Many IoT devices leverage the ARM architecture, which means that Spike could potentially create a DDoS botnet from the IoT world of connected devices.

While Spike today can be used to build a powerful DDoS attack, it actually doesn't have support for one of the most dangerous forms of DDoS, a reflection attack. Many of the largest DDoS attacks on record abuse functionality in technologies, including Domain Name System (DNS) and Network Time Protocol (NTP), to reflect and amplify attack volume.
"[Spike] is an infection-based botnet construction, and currently does not have the capability to launch reflection attacks," Fernandez said.
In February, cloud security vendor CloudFlare reported a 400G-bps DDoS attack that leveraged NTP reflection to amplify the attack volume. By June, a report from NSFOCUS found that NTP-based DDoS reflection attacks were already on the decline after server administrators patched vulnerable systems.
With many exploit toolkits, the technology is bought and sold by attackers. In the case of Spike, it's not clear if that type of economic activity is happening at this point.
"We have not validated this toolkit being sold in the underground market," Fernandez said. "Actually, this toolkit is very new and has only been created approximately within the last 6 months."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.